aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan
Commit message (Collapse)AuthorAgeFilesLines
...
* android: Enable build against API level 21Tobias Brunner2016-03-231-0/+17
| | | | | | | While building against this level in general would break our app on older systems, the NDK will automatically use this level for 64-bit ABI builds (which are not supported in older levels). So to build against 64-bit ABIs we have to support this API level.
* Fix some Doxygen issuesTobias Brunner2016-03-112-8/+8
|
* identification: Make `written` signed to fix error checking when printing rangesTobias Brunner2016-03-111-3/+3
|
* Implemented IPv4/IPv6 subnet and range identitiesAndreas Steffen2016-03-102-79/+563
| | | | | | The IKEv1 IPV4_ADDR_SUBNET, IPV6_ADDR_SUBNET, IPV4_ADDR_RANGE and IPV6_ADDR_RANGE identities have been fully implemented and can be used as owners of shared secrets (PSKs).
* auth-cfg: Add a rule to suspend certificate validation constraintsTobias Brunner2016-03-102-0/+18
|
* credential-manager: Check cache queue when destroying trusted certificate ↵Tobias Brunner2016-03-101-1/+2
| | | | | | | | | | enumerator We already do this in the trusted public key enumerator (which internally uses the trusted certificate enumerator) but should do so also when this enumerator is used directly (since the public key enumerator has the read lock the additional call will just be skipped there).
* credential-manager: Make online revocation checks optional for public key ↵Tobias Brunner2016-03-102-3/+9
| | | | enumerator
* library: Add option to register additional namespaces before calling ↵Tobias Brunner2016-03-082-2/+43
| | | | | | | | | | library_init() Because settings are already accessed in library_init(), calling add_fallback() externally after calling library_init() is not ideal. This way namespaces already serve as fallback while library_init() is executed and they are also in the correct order so that libstrongswan is always the last root section.
* linked-list: Add method to compare two lists of objects for equalityTobias Brunner2016-03-083-2/+166
|
* byteorder: Simplify htoun64/untoh64 functionsTobias Brunner2016-03-041-27/+0
|
* byteorder: Always define be64toh/htobe64 macrosTobias Brunner2016-03-041-20/+30
|
* auth-cfg: Make IKE signature schemes configurableTobias Brunner2016-03-045-37/+187
| | | | | | This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* ikev2: Diversify signature scheme ruleThomas Egerer2016-03-042-30/+68
| | | | | | | This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* thread: Allow thread ID to be value returned by gettid()Thomas Egerer2016-03-043-14/+32
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* libhydra: Remove empty unused libraryTobias Brunner2016-03-031-1/+0
|
* utils: Add enum name for pseudo log group 'any'Tobias Brunner2016-02-051-2/+4
|
* unit-tests: The pseudonym RDN is now recognized, so use something more exoticTobias Brunner2016-01-281-3/+3
|
* Support pseudonym RDNAndreas Steffen2016-01-273-0/+5
|
* vici: list-cert sends subject, not-before and not-after attributes for pubkeysAndreas Steffen2016-01-091-0/+1
|
* vici: Support of raw public keysAndreas Steffen2016-01-092-0/+15
|
* Apply pubkey and signature constraints in vici pluginAndreas Steffen2015-12-172-0/+117
|
* 128 bit default security strength for IKE and ESP algorithmsAndreas Steffen2015-12-171-19/+19
| | | | | | | | | | | | | | | | | The default ESP cipher suite is now AES_CBC-128/HMAC_SHA2_256_128 and requires SHA-2 HMAC support in the Linux kernel (correctly implemented since 2.6.33). The default IKE cipher suite is now AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 if the openssl plugin is loaded or AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072 if ECC is not available. The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been deprecated and ENCR_CHACHA20_POLY1305 has been added to the default IKE AEAD algorithms.
* libstrongswan: Updated Android.mk to current Makefile.amTobias Brunner2015-12-141-1/+2
|
* 128 bit default security strength requires 3072 bit prime DH groupAndreas Steffen2015-12-143-16/+16
|
* Refactored certificate management for the vici and stroke interfaces5.4.0dr1Andreas Steffen2015-12-122-30/+130
|
* Changed some certificate_type_names and added x509_flag_namesAndreas Steffen2015-12-114-5/+37
|
* Allow msSmartcardLogon EKU to be builtAndreas Steffen2015-12-111-2/+2
|
* Print OCSP single responsesAndreas Steffen2015-12-113-5/+122
|
* Standardized printing of certificate informationAndreas Steffen2015-12-113-0/+653
| | | | | | | The certificate_printer class allows the printing of certificate information to a text file (usually stdout). This class is used by the pki --print and swanctl --list-certs commands as well as by the stroke plugin.
* array: Add an insert/create function for value based arraysMartin Willi2015-12-073-0/+68
|
* byteorder: Provide a fallback for le32toh/htole32()Martin Willi2015-12-041-0/+20
| | | | | Some older toolchains don't provide these macros, so implement them using the gcc builtins. We also provide 64-bit variants as used by chapoly.
* byteorder: Add 32-bit unaligned little-endian conversion functionsMartin Willi2015-12-042-21/+27
|
* watcher: Check for cancellation if poll() fails with EINTRMartin Willi2015-12-041-0/+7
| | | | | | | With LinuxThreads, poll() is unfortunately no cancellation point. It seems that poll gets woken up after cancellation, but we actively must check for cancellation before re-entering poll to properly shut down the watcher thread.
* sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not ↵Tobias Brunner2015-11-231-1/+4
| | | | | | in the set Fixes #1213.
* utils: Use the more low-level __NR_ prefix to refer to the syscall numberTobias Brunner2015-11-171-1/+1
| | | | The __NR_ constants are also defined in the Android headers.
* utils: Provide a fallback for sigwaitinfo() if neededTobias Brunner2015-11-133-30/+36
| | | | | Apparently, not available on Mac OS X 10.10 Yosemite. We don't provide this on Windows.
* revocation: Allow CRLs to be encoded in PEM formatTobias Brunner2015-11-121-1/+1
| | | | | | | | | | Since the textual representation for a CRL is now standardized in RFC 7468 one could argue that we should accept that too, even though RFC 5280 explicitly demands CRLs fetched via HTTP/FTP to be in DER format. But in particular for file URIs enforcing that seems inconvenient. Fixes #1203.
* curl: Be less strict when considering status codes as errorsTobias Brunner2015-11-121-3/+3
| | | | | | | For file:// URIs the code is 0 on success. We now do the same libcurl would do with CURLOPT_FAILONERROR enabled. Fixes #1203.
* auth-cfg: Prefer merged rules over existing ones when moving themTobias Brunner2015-11-121-3/+3
| | | | | | This is particularly important for single valued rules (e.g. identities). When copying values this is already handled correctly by the enumerator and add().
* android: Provide a fallback for sigwaitinfo()Tobias Brunner2015-11-121-1/+29
|
* android: Replace AndroidConfigLocal.h with a header in utils/compatTobias Brunner2015-11-124-5/+16
|
* settings: Add settings_value_as_uint64() helper functionTobias Brunner2015-11-113-0/+58
|
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-102-8/+7
|
* plugin-loader: Optionally use RTLD_NOW with dlopen()Tobias Brunner2015-11-091-6/+11
| | | | | | | | | This can be useful when writing custom plugins as typos or missing linker flags that result in unresolved symbols in the shared object could otherwise cause late crashes. In particular, if such a symbol is used in a code path that is rarely executed. During development and testing using RTLD_NOW instead of RTLD_LAZY will prevent the plugin from getting loaded and makes the error visible immediately.
* windows: Define RTLD_NOW, even if it is not usedTobias Brunner2015-11-091-0/+5
|
* iv-gen: Use NULL IV generator for NULL encryptionTobias Brunner2015-11-091-0/+5
| | | | | | | | | | | | We don't need an IV for NULL encryption, so we wouldn't technically need an IV generator. But some of the code currently relies on an IV generator to be present. So we don't have to change that code and handle IV size == 0 specially we use the new NULL IV generator, which handles this transparently to the existing code. Before 3c81cb6fc322 ("aead: Create AEAD using traditional transforms with an explicit IV generator") iv_gen_rand_t was used for NULL encryption, which would work too but this way it's clearer.
* crypto: Add NULL IV generatorTobias Brunner2015-11-094-1/+98
| | | | | This does not actually allocate an IV and only accepts requests for size == 0.
* testing: Updated hasher testsAndreas Steffen2015-11-062-4/+83
|
* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemesAndreas Steffen2015-11-0611-86/+106
|
* Use word-aligned XOR in sha3_absorb()Andreas Steffen2015-11-031-4/+47
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-22 03:17:33 +0000